Every user accessing the site has same IP address

  • Our site and WP login was not able to be accessed due to this error:
    Your access to this site has been limited
    Your access to this service has been temporarily limited. Please try again in a few minutes. (HTTP response code 503)
    Reason: Blocked by Wordfence Security Network

    I was able to request an email and access the site (I did this through a VPN that used this New York IP: 162.244.81.236). I did a scan (no issues), checked the options and checked for recent login attempt messages. There were several detailing this IP: 143.95.66.49; also a message that this IP had been locked out several times:
    Wordfence has blocked IP address 143.95.66.49.
    The reason is: “Exceeded the maximum number of page not found errors per minute for a crawler.”.
    User IP: 143.95.66.49
    User hostname: ip-143-95-66-49.iplocal
    User location: Los Angeles, United States

    However, when I went to Blocked IPs, that IP was not there. When I tried to manually block it I couldn’t because the error message said that 143.95.66.49 was my IP!

    When I look at live traffic I can see that EVERY user for the last two hours has been coming from that IP: 143.95.66.49, which is impossible. I even left the VPN and still live traffic is saying I am coming from 143.95.66.49; however, I am in Laos with IP: 103.240.243.4.

    To check if it was my computer, my husband also logged into the site, and both his login and my logout had the same (wrong) IP: 143.95.66.49.

    The site is http://wiglaos.org/. Any help or suggestions will be greatly appreciated.

  • Hi asaracena,
    Thanks for the elaborate description of your issue. If all the IPs in Live Traffic are coming up as your server's IP, you may have to change how Wordfence gets IPs. You can read a bit more about that here.

    Please note that there is another possible reason which has to do with a bug in the Firewall relating to the “X-Forwarded-For” header. If your site is currently set to use “X-Forwarded-For” and this seems to have happened recently, you want to instead activate the option “Delay IP and Country blocking until after WordPress and plugins have loaded (only process firewall rules early)” on the Wordfence Firewall page until the next version of Wordfence is released.

    You can check if your site is using the “X-Forwarded-For” header on the Wordfence diagnostics page in the section “IPs”.

    Hope that helps!

  • Hi wfasa,

    I checked the Wordfence diagnostics page and you are correct that someone (not me or anyone else who accesses this site) set the “X-Forwarded-For”:
    REMOTE_ADDR 143.95.66.49
    CF-Connecting-IP (not set)
    X-Real-IP 103.240.243.4
    X-Forwarded-For 103.240.243.4

    I did activate the “Delay IP and Country blocking until after WordPress and plugins have loaded” but that doesn’t seem to be having any effect since WF is still seeing me as 143.95.66.49 (probably due to the above X-Forwarded-For).

    How do I take off the “X-Forwarded-For”? I’m sure this was somehow done maliciously to try to hack our site. Is this something I should notify our host about?

    Thanks for your help, hope to solve this by removing the X-Forwarded-For.

  • I notified the host today and it turns out our website shared server IP (Arvixe) is 143.95.66.49.

    Because of this I can’t help but believe that since all of our traffic is showing up in Live Traffic with that IP that it’s a bug. They have put in a ticket to check the server but I don’t really know what to do except wait until your next update and hope that solves the issue.

  • Hi again,
    That you have X IPs set indicates that you probably have a proxy, in which case you should be using X-Real-IP or X-Forwarded-For for how Wordfence gets IPs on the Wordfence “Options” page. Have a look there and see which one you are using. Your X-Forwarded-For from the Diagnostics page actually looks normal, so I don’t think you should be affected by the bug described above.

  • When you say “you probably have a proxy” do you mean my host (Arvixe)?

    I changed the way Wordfence gets IPs in the Options to use X-Real-IP and now the Live Traffic shows the correct IPs.

    My concern is the possibility of spoofing – how serious is this possibility? Is there anything I can do to prevent spoofing when using X-Real-IP?

    Another issue is that since this problem began, almost every time I try to log out of WordPress admin I get a “Page not found” error. Any idea why this is happening? Is it connected or just random that it started happening at the same time?
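
The spoofing concern in the last post comes down to honouring X-Real-IP or X-Forwarded-For only when the connection itself (REMOTE_ADDR) comes from the known proxy. The sketch below is an added example, not Wordfence's code or part of the thread; the function names, the trusted-proxy list (the shared server address from the diagnostics output) and the assumption that the proxy overwrites X-Real-IP are illustrative, and the sample requests are constructed.

```python
import ipaddress

# Assumption: the only trusted proxy is the address the thread's diagnostics
# output showed as REMOTE_ADDR (the host's shared server IP).
TRUSTED_PROXIES = [ipaddress.ip_network("143.95.66.49/32")]

# Constructed sample requests (CGI-style variable names).
VIA_PROXY = {"REMOTE_ADDR": "143.95.66.49", "HTTP_X_REAL_IP": "103.240.243.4",
             "HTTP_X_FORWARDED_FOR": "103.240.243.4"}
DIRECT_FORGED = {"REMOTE_ADDR": "198.51.100.7", "HTTP_X_REAL_IP": "203.0.113.9"}
XFF_CHAIN = {"REMOTE_ADDR": "143.95.66.49",
             "HTTP_X_FORWARDED_FOR": "203.0.113.9, 103.240.243.4"}


def _parse(value):
    """Return an ip_address object, or None if the text is not a valid IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(environ):
    """Resolve the visitor IP, honouring forwarded headers only from our proxy."""
    peer = _parse(environ.get("REMOTE_ADDR", ""))
    if peer is None:
        return None
    if not _is_trusted(peer):
        # Direct connection: the sender controls every header, so ignore them.
        return str(peer)
    # Assumption: the proxy overwrites X-Real-IP with the address it saw.
    real = _parse(environ.get("HTTP_X_REAL_IP", ""))
    if real is not None:
        return str(real)
    # Otherwise read X-Forwarded-For right to left: the rightmost entry was
    # appended by our proxy, anything further left came from the client.
    for hop in reversed(environ.get("HTTP_X_FORWARDED_FOR", "").split(",")):
        ip = _parse(hop)
        if ip is None:
            break  # malformed entry: stop and fall back to the peer address
        if not _is_trusted(ip):
            return str(ip)
    return str(peer)
```

With these samples, the proxied request resolves to 103.240.243.4, while the direct request carrying a forged X-Real-IP is still attributed to its own connecting address.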
